This 1‑pager summarizes the technical and organizational measures that Notion maintains to protect Customer Data under a shared responsibility model.
1. Purpose
This Security Exhibit forms part of the Master Subscription Agreement (the "Agreement") between Notion Labs, Inc. ("Notion") and Customer, and summarizes the technical and organizational measures that Notion maintains to protect Customer Data under a shared responsibility model, focusing on Notion's responsibilities.
2. Scope & Relationship to MSA / DPA
- This Exhibit applies to Notion's provision of the Services and Notion's processing of Customer Data.
- This Exhibit is intended to supplement, and not replace, the security and privacy commitments set out in the Agreement and the Data Processing Addendum ("DPA").
3. Information Security Program
- Notion maintains a comprehensive information security program designed to protect the confidentiality, integrity, and availability of Customer Data.
- Notion's information security program is designed to protect Customer Data processed by Notion in connection with the Services, taking into account the nature and sensitivity of such data.
- The program includes administrative, technical, and physical safeguards consistent with general industry-standard practices.
- The program is reviewed and updated periodically to address changes in laws, regulations, industry standards, and risk.
4. Access Control & Identity Management
Access to production systems containing Customer Data is limited and controlled as follows:
- Access is granted on a least‑privilege, business‑need‑to‑know basis.
- Access to such systems is provisioned and de‑provisioned through documented processes and is reviewed periodically.
- Administrative access to production systems is protected by strong authentication controls, including multi‑factor authentication where supported.